How C-Suite it is: Executives finally give cybersecurity its due


(Editor’s note: The tenor of discussions at the RSA Conference in San Francisco last month was distinctively different than in years past. In this guest essay, Mike Potts, CEO of network security firm Lancope, relates what he heard.) (Edited for clarity and length.)

By Mike Potts, Special to ThirdCertainty

Another RSA Conference is behind us, and we overheard security professionals speaking their own language, using terms such as “APTs” and “zero-day threats.”

While these sound like jargon, they represent important cybersecurity concepts that have often flown over the collective heads of C-Suite executives—until today. Cybersecurity is finally being recognized as a business discipline that directly affects an organization’s goals, causing the C-Suite to sit up and listen.


The damaging data breaches suffered by high-profile companies such as Target, Sony, Home Depot and JPMorgan Chase helped elevate the issue of cybersecurity. While the mechanics of identifying and remediating attacks may reside with the information technology team, cybersecurity has become a companywide effort that the leadership team must oversee.

With cybersecurity in the spotlight, CEOs need to consider three crucial questions:

  • What must be done to provide security administrators with network visibility to manage the internal and external security threats?
  • What is the company’s incident response plan?
  • What will be done to minimize the damage done by the inevitable attack?

Many Fortune 500 enterprises are forming cybersecurity subcommittees to answer these questions, translating the discussion into business terms that the C-Suite can understand and act on.

The cybersecurity discussion is changing. We’re not talking about if and when we’ll be attacked. We know it’s likely bad guys already are in the network.

To complicate matters, we’re on the leading edge of the Internet of Things. An increasing number of machines, from printers to refrigerators to heart monitors, have a unique IP address and can communicate with one another. This creates cybersecurity vulnerabilities that will affect virtually every industry.

Many companies hit by a breach don’t realize the damage has been done until a third party, such as the Justice Department or a bank, alerts them, a clear signal that the era of Security 1.0, with company budgets devoted to blocking outside threats, is past.

So welcome to Security 2.0. In this world, attackers are increasingly sophisticated and capable of bypassing traditional network perimeter security defenses. The threat of an insider attack is higher—about 51 percent—than that from an outsider, which is why having a real-time view inside a network is critical.

I’m not suggesting that organizations abandon perimeter defenses, but companies and government entities can’t rely on such tools alone to adequately secure networks. Outsiders can break through, and insiders can open the door.

In the era of Security 2.0, the C-Suite is finally giving information security the attention it needs.

